Attorney-General Mark Dreyfus announced that more than 100 security experts from the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) will work together in a permanent Joint Standing Operation. They will cooperate with overseas partner agencies (including Interpol and the U.S.-based Federal Bureau of Investigation) to find the culprits behind two massive cyber-attacks on Optus and Medibank, which affected more than 15 million customers.
Cybercriminals who stole private information from millions of Australians are now selling the stolen data on the Dark Web, as the two companies refused to give in to their ransom demands. Furthermore, the Australian Government might bring in new laws that would make ransom payments illegal.
Since the data breaches, some Australians have reported that their accounts were accessed and personal data misused in suspected identity thefts.
The Optus data hack reportedly cost the company in excess of $140 million.
Some states, such as Queensland, have already tightened personal data verification procedures after the Optus data breach.
Lawyers are arguing that large companies are storing huge amounts of customers’ data while potentially ignoring privacy laws. Australia’s leading class action law firms are said to be considering options to seek compensation on behalf of customers over data breaches, in what could become the biggest class action lawsuit that Australia has seen.
“Hacking the hackers”
The cyber-attack in September 2022 on Optus, owned since 2001 by the Singapore telecommunications company known as Singtel, and the hacking in October 2022 of the Medibank private health insurance fund (which the Abbott government privatised in 2014) pose a serious threat to the stored personal data of millions of Australians.
Drivers licences, bank account information, passport and Medicare numbers as well as medical procedures and claims by Australian customers (including sensitive information about pregnancy terminations) are now to be found on the Dark Web following the two companies’ refusal to pay any ransom to cybercriminals.
Minister for Home Affairs Clare O’Neil said on 11 November 2022 that Australia will “hack the hackers” and bring them to justice. To this end, Australia might need to strengthen its cyber-security laws. The post of Minister for Cyber Security, which O’Neil holds alongside the Home Affairs portfolio, was created in June 2022 for the first time as a stand-alone ministerial portfolio.
While the previous government allocated up to $10 billion in forward funding to strengthen Australia’s domestic cyber security capacity, including the offensive capability and response to the hacking incidents, policy priorities are likely to change under Labor. It is currently being debated how Australia’s legal framework could be changed to better protect Australians from future cyber-attacks, which cost the economy more than $33 billion a year.
AFP Commissioner blaming the “Russians” and associates
AFP Commissioner Reece Kershaw blamed a loosely affiliated group of hackers with links to Russia for the data breaches.
Commissioner Kershaw said:
“…We believe that those responsible for the breach are in Russia. These cyber criminals are operating like a business with affiliates and associates, who are supporting the business.
Everyone involved in this attack is a focus of the ongoing investigation through the AFP-led Operation Pallidus. Investigators under Operation Guardian are also scouring the internet and dark web to identify people who are accessing this personal information and trying to profit from it.”
Commissioner Kershaw urged all Australian businesses to ensure that their data protection systems are secure.
Small and medium-sized businesses need further support
It is certainly not enough to rely on the big companies to protect Australians from overseas criminals who operate in the borderless cyber world. As seen from the two data hacks, nobody is immune to personal data breaches, with the Australian Prime Minister, Anthony Albanese, reportedly also among concerned Medibank customers. Cyber Security Minister Clare O’Neil said that Australia needs to “wake up out of the cyber-slumber”, describing current privacy laws as “a national vulnerability”. The Australian Government must also offer small and medium-sized businesses support and financial incentives to better store and protect customer data.